Privacy Law
AB-1651: As ‘Workplace’ Extends to Our Homes, Can Employers Still Conduct Worker Monitoring?
By: Jeewon Kim Serrato, Jerel Pacis Agatep, and Jenny Ha
July 2022
If there is one thing that could be considered a silver lining of the COVID-19 pandemic, it is the accelerated discussion of employee privacy issues and workplace monitoring. The mass movement to remote work in recent years has put the spotlight on whether and how employees have privacy rights. In our March 2021 newsletter, we highlighted the top six workplace monitoring issues employers should be considering: email and text, telephone and voicemail, video surveillance, GPS and cellphone location, social media, and keystroke and productivity monitoring. These topics are now being pointedly addressed in a new California bill, AB-1651, aptly labeled the “Workplace Technology Accountability Act,” as the debate surrounding employee privacy heats up again in California.
Introduced by Assemblymember Ash Kalra, AB-1651 seeks to amend parts of the Government Code and Labor Code in line with the intent of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The CPRA extends the CCPA exemption for personal information collected from “workplace members”[1] but is set to expire on January 1, 2023. AB-1651 would confer corresponding “worker”[2] rights and employer obligations in connection with the collection and use of worker data. Additionally, the bill addresses work-from-home monitoring and the use of algorithms and artificial intelligence with employee data. Lastly, and quite unlike the CPRA, which excludes government agencies, AB-1651 applies not only to businesses but also to state and local government entities.
Below, we provide a high-level summary of some key provisions of AB-1651 and what to expect in terms of employee privacy issues in the next year as the debate continues in the California legislature.
Worker Data Rights
Notice Requirement – Similar to CPRA’s notice requirement, AB-1651 would require employers, at or before the point of collection, to inform workers regarding the categories of worker data collected, the purpose of collecting data, if the data is related to the worker’s essential job functions, and if it will be used in making or assist in making employment-related decisions. Additionally, employers must inform workers whether the data will be deidentified, used in an aggregated form or shared with third parties. Lastly, employers must also inform workers of the employers’ data retention policies, the workers’ rights to access and to correct their data (discussed further below), and any data protection impact assessments (DPIA) or worker information systems (WIS) that are being actively investigated by the Labor and Workforce Development Agency (LWDA).
Right to Access – Similar to CPRA’s right to access, AB-1651 would require employers to provide, upon receipt of verifiable request, the categories and pieces of worker data retained, the purpose and sources of data collection, whether the data is related to the worker’s essential job functions or employment decisions, whether the data is involved in an automated decision system (ADS; discussed further below), and the names of any third parties from whom the data is obtained or to whom the data is disclosed.
Right to Correct – Similar to CPRA’s right to correct inaccurate information, AB-1651 would require employers to keep worker data accurate, which in turn creates a worker’s right to request correction of inaccurate worker data. However, this does not apply to “subjective information, opinions, or other nonverifiable facts.” In our opinion, this may include performance reviews and performance improvement plans.
Limited Use of Worker Data – AB-1651 would impose on employers the obligation to limit data collection and use to that which is “strictly necessary” for certain allowable purposes, including but not limited to allowing workers to accomplish an essential job function, administering wages and benefits, and assessing worker performance. Additionally, employers cannot sell or license worker data, including deidentified or aggregated data. Lastly, employers can disclose or transfer worker data to a third party only pursuant to a contract that prohibits sale or licensing of that data and that stipulates that the third party must have reasonable data security protections. However, biometric, health or wellness data cannot be disclosed or transferred to any third party unless required by law.
Workplace Monitoring
Notice Requirement – AB-1651 would require employers to provide workers notice of electronic monitoringbefore monitoring begins. This section of the bill details the notice requirements, including but not limited to listing the purpose of the monitoring; describing the technology used; providing the dates, times, and frequency of the monitoring; and explaining why that form of monitoring is “strictly necessary” and the “least invasive means” for an allowable purpose. The notice must also be “clear and conspicuous”; it cannot simply state electronic monitoring “may” take place. Note that while these are stringent requirements to keep workers aware of how employers monitor them, they fall short of requiring consent.
Ongoing Notice Obligation – Employers would also have ongoing notice obligations annually and when their monitoring significantly changes.
Limited Use of Workplace Monitoring – AB-1651 would prohibit the use of workplace monitoring unless all of the following conditions are met: the monitoring is “strictly necessary” to accomplish one of the listed allowable purposes and is the “least invasive means” to accomplish that purpose; it is limited to the smallest number of workers and collects the least amount of data necessary; and the worker data collected will be accessed only by authorized agents and within the notified duration of monitoring.
Essentially, this section of the bill would codify some of the best practices we have described in our newsletter. For instance, (1) limit the minimum number of workers and amount of data necessary, (2) do not monitor workers who are not doing work-related tasks, (3) do not monitor workers who are exercising their legal rights, and (4) do not monitor workers where they have “reasonable expectation of privacy,” including locker rooms, changing areas, and break rooms.
Facial Recognition Prohibited – AB-1651 prohibits the use of electronic monitoring systems that incorporate facial recognition, gait, or emotion recognition technology.
Remote Workplace Monitoring Must Be “Strictly Necessary” – As pointed out in our newsletter, generally, California employers that want to monitor their remote workers can do so by balancing their legitimate business reasons with the worker’s “reasonable expectation of privacy.” That will change if AB-1651 passes. AB-1651 prohibits the use of audio-visual monitoring of a workplace in a worker’s residence, personal vehicle, or property, unless it is “strictly necessary” to ensure worker health and safety or the security of employer data, or fulfills other similarly compelling purposes.
In line with that, workers would have the right to decline to install data collection or transmission applications on personal devices, unless the monitoring is “strictly necessary” to perform essential job functions. Lastly, GPS applications and devices would also have to be proactively disabled outside of work times and activities.
Workplace Monitoring and Employment Decision-Making – AB-1651 would prohibit relying solely on worker data collected through electronic monitoring when making employment decisions such as hiring, promotion, termination, and other disciplinary actions. The employer must have independent information from its own assessment to corroborate the electronic monitoring data before making any employment decision.
Automated Decision Systems
A large portion of this bill is dedicated to automated decision systems, or ADS. An ADS is “a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes or assists an employment-related decision.” Whether or not this bill passes, the specific inclusion of such technology signals that legislation geared toward regulating the use of artificial intelligence (AI) in the workplace is just starting. For example, in March 2022, the California Fair Employment & Housing Council drafted modifications to California’s employment anti-discrimination laws that would impose liability on companies or third parties administrating AI tools that have a discriminatory impact on screening job applicants or that make other employment decisions.
Continuing the theme of the entire bill, AB-1651 would require employers using ADS to (1) provide notice, which would be an ongoing obligation, (2) limit the use of ADS in making employment-related decisions, and (3) not solely rely on ADS output to make an employment-related decision and instead conduct an independent evaluation to corroborate the ADS output.
This evaluation includes a new term, “meaningful human oversight,” which requires a designated internal reviewer who has sufficient power, resources, and expertise to investigate and understand the ADS and its outputs. When the employer does use ADS output as part of a decision, the employer must explain the decision to the affected worker. Furthermore, ADS outputs regarding a worker’s health cannot be the basis for any employment-related decision.
Lastly, employers must conduct impact assessments, known as an “Algorithmic Impact Assessment” (AIA), by independent assessors with relevant experience. AB-1651 describes the requirements and process of the assessment, including a review and comment period for workers potentially affected by the ADS. An employer must also publish an AIA summary on its website upon submitting the AIA to the LWDA.
Enforcement and Private Right of Action
AB-1651 would give workers a private right of action for injunctive relief and recovery of civil penalties and attorney’s fees. The bill also confers on the LWDA the authority to enforce and assess penalties and collect copies of notices under the reporting requirements throughout this bill. Penalties range from $100 to $20,000 per violation.
Takeaways
Employers have not previously faced significant regulation when it comes to monitoring their workers. However, the new business obligations in the CPRA and as contemplated in AB-1651 signal that employers should carefully review their privacy controls before rolling out any business practices that impact employees’ privacy rights. Prior to the COVID-19 pandemic and the proliferation of work-from-home arrangements, most employees had more separation between their homes and their workplaces. Now that the “workplace” has crept into every corner of our homes and lives and is not limited to a building downtown, worker privacy and remote monitoring are again front and center. Similar to CPRA and AB-1651 in California, employers should review new and evolving state and local requirements as they are enacted, including the new regulations in New York and New Jersey.
As we have previously advised as best practice, we recommend employers (1) review definitions of “expectation of privacy” in the workplace, (2) notify employees of the types and purposes of workplace monitoring, (3) obtain voluntary consent when possible, and (4) have in place reasonable protocols and safeguards to secure employee information.
Note: As of the posting of this blog, AB-1651 had been read a second time, amended, and re-referred to the Assembly Committee on Privacy and Consumer Protection. If it is to pass, the bill must have its third reading, reach a majority vote, and continue on to the Senate. The CPRA, on the other hand, will become operative on January 1, 2023 and provide full consumer rights to employees if no amendments to the law are passed before the legislature goes into recess in August.
[1] For purposes of this blog, “workplace member” is a “job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of a business.” Cal. Civ. Code §1798.145(m).
[2] “Worker” means “any natural person or their authorized representative acting as a job applicant to, an employee of, or an independent contractor providing service to, or through, a business or a state or local governmental entity in any workplace.” AB-1651 §1522(n).